Sunday, December 26, 2010

The combination of Oracle UCM 11g and Oracle WebCenter/ADF 11g technologies helps you implement document management applications. There is one area you should keep in mind - security. Weaknesses are not always obvious and can leave your system open to attack. I will describe a scenario in which one user can view the documents of all employees, and how to prevent it with UCM Security Accounts when tight security is required for your system.

As the starting condition for this experiment, all Content Repository folders are protected by a single Security Group - HumanResources:

A file is uploaded by user redsam1 for employee #id = 206:

Another file is uploaded for employee #id = 200:

When the user selects an employee, the UCM folder path is calculated and the task flow prevents navigation to other folders. If the user selects employee #id = 200, the WebCenter Content Manager ADF task flow shows documents only from the folder mapped to employee #id = 200. Does this mean that the documents of employee #id = 206 are inaccessible to a user who is restricted to employee #id = 200? No - the documents can still be opened. With employee #id = 200 selected, right click any of the documents and select Copy Link:

Paste this link into a new tab of the same browser, so that the authenticated session is reused:

The selected image is rendered as expected:

Now remove the document and folder names from the URL path and try to open the root folder:

And here we go - we can see the document folders of other employees (even though the WebCenter Content Management ADF task flow prevents this):

Even more, we can enter the documents folder of another employee (#206):

We can view and download the existing documents:

Of course, this can be done only by a user who is authorized to log in to the system. But still, an authenticated user can view other employees' documents without being authorized for them, simply by editing the URL path directly: the restriction is enforced only in the task flow UI, while UCM itself checks nothing beyond the shared Security Group:

The document is downloaded:

If the documents stored in different folders share a common security level, it is enough to apply a single Security Group - users assigned to that Security Group will then be able to browse all of those folders by URL path. However, if users of the same Security Group must not be allowed to browse other users' folders, we need to apply UCM Security Accounts in addition to Security Groups. In theory, we could create a separate Security Group for every user, but we would end up with far too many Security Groups. Instead, we should apply the intersection of Security Groups and Security Accounts in the UCM Content Repository: a user can access a document only if permitted by both its Security Group and its Account.
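To make the intersection rule concrete, here is an added example (a plain Java model written for this post, not UCM code) of how access is decided once Security Accounts are in play. Documents keep the shared HumanResources Security Group and additionally get one account per employee; the account names (HR/200, HR/206, parent HR) are assumptions chosen for this scenario.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Model of UCM's Security Group + Security Account check (added example, not UCM code).
 * A user may read a content item only if the user has Read on the item's Security Group
 * AND on its Account. Accounts are hierarchical: Read on "HR" also covers "HR/206".
 */
public class UcmAccessModel {

    /** Metadata of one content item (dSecurityGroup and dDocAccount in UCM terms). */
    static final class ContentItem {
        final String securityGroup;
        final String account; // "" models an item with no account assigned
        ContentItem(String securityGroup, String account) {
            this.securityGroup = securityGroup;
            this.account = account;
        }
    }

    /** Minimal user: the groups and accounts on which Read permission was granted. */
    static final class User {
        final Set<String> groupsWithRead;
        final Set<String> accountsWithRead;
        User(Set<String> groups, Set<String> accounts) {
            this.groupsWithRead = groups;
            this.accountsWithRead = accounts;
        }
    }

    /** Hierarchical account match: a grant on a parent account covers its children. */
    static boolean accountMatches(String granted, String required) {
        return required.equals(granted) || required.startsWith(granted + "/");
    }

    /** Intersection: both the Security Group check and the Account check must pass. */
    static boolean canRead(User u, ContentItem item) {
        boolean groupOk = u.groupsWithRead.contains(item.securityGroup);
        boolean accountOk = item.account.isEmpty(); // no account: the group alone decides
        for (String granted : u.accountsWithRead) {
            if (accountMatches(granted, item.account)) {
                accountOk = true;
                break;
            }
        }
        return groupOk && accountOk;
    }

    static Set<String> setOf(String... values) {
        return new HashSet<String>(Arrays.asList(values));
    }

    public static void main(String[] args) {
        // Same Security Group for all HR documents, one assumed account per employee.
        ContentItem doc200 = new ContentItem("HumanResources", "HR/200");
        ContentItem doc206 = new ContentItem("HumanResources", "HR/206");

        // redsam1 is in HumanResources but is granted only the account of employee 200.
        User redsam1 = new User(setOf("HumanResources"), setOf("HR/200"));
        // An HR manager granted the parent account can browse every employee folder.
        User hrManager = new User(setOf("HumanResources"), setOf("HR"));

        System.out.println("redsam1 -> employee 200: " + canRead(redsam1, doc200));
        System.out.println("redsam1 -> employee 206: " + canRead(redsam1, doc206));
        System.out.println("hrManager -> employee 206: " + canRead(hrManager, doc206));
    }
}
```

With this model redsam1 can open the documents of employee 200 but not those of employee 206, even though both carry the HumanResources Security Group: editing the URL path no longer helps, because the Account check is performed by UCM on every request, not by the ADF task flow. The parent account HR shows why accounts scale better than one Security Group per user: a single grant covers all employee folders for users who legitimately need them.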

Oracle WebCenter 11g provides out-of-the-box ADF task flows for Oracle UCM 11g content repository management (see Oracle Universal Content Management 11g and Oracle ADF/WebCenter 11g Integration). These may not be enough when implementing custom solutions. For such custom cases, we have the option to define a Data Control on the Content Repository connection and retrieve information about stored documents through the Bindings layer. One practical use case: let the user select documents, retrieve the IDs of the selected documents and store those IDs in a database table. In this post I will describe how to retrieve the IDs of selected documents from a Data Control defined on a Content Repository connection.

If we want to implement custom screens, for example this custom list-of-values with the documents of the selected employee, we need to use the Data Control generated for the Content Repository connection:

Users can select multiple documents and store their selection in the database (custom functionality):

The IDs and names of the selected documents are retrieved and can be processed in ADF:

The Data Control for the Content Management connection is created directly from the Content Repository connection:

By default, the document ID is not included in the Data Control attribute list. Add one more attribute, name it id (or any other name you like) and change its type to Long:

The JCR Path points into the Oracle UCM 11g Content Repository metadata structure. To retrieve the document ID, point it to jcr:content/idc:metadata/idc:dID. This returns the dID of the current document:

A standard ADF Data Control is generated; it exposes a getItems(path, type) method that retrieves the list of items from the Content Repository for a given path and type (all, documents or folders):
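The following managed bean method is an added example (written for this post, not code from the original or from Oracle) of the "process selected IDs in ADF" step: it walks the selected rows of an af:table bound to the getItems(path, type) result and collects the custom id attribute (mapped above to jcr:content/idc:metadata/idc:dID) together with the document name. Assumptions: the table is bound to the bean property documentsTable, the ID attribute is named id as in the previous step, and the name attribute of the Content Repository Data Control is called name.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

import oracle.adf.view.rich.component.rich.data.RichTable;
import oracle.jbo.uicli.binding.JUCtrlHierNodeBinding;
import org.apache.myfaces.trinidad.model.RowKeySet;

/**
 * Added example (not from the original post): collects id/name of the rows the user
 * selected in a table bound to the Content Repository Data Control's getItems result.
 * Attribute names "id" and "name" and the binding property documentsTable are assumptions.
 */
public class DocumentSelectionBean {

    private RichTable documentsTable; // af:table with binding="#{pageFlowScope.documentSelectionBean.documentsTable}" (assumed)

    /** Holder for what will later be inserted into the custom database table. */
    public static final class SelectedDocument {
        private final Long id;
        private final String name;
        public SelectedDocument(Long id, String name) {
            this.id = id;
            this.name = name;
        }
        public Long getId() { return id; }
        public String getName() { return name; }
    }

    /** Returns id and name for every selected row, restoring the table's current row afterwards. */
    public List<SelectedDocument> getSelectedDocuments() {
        List<SelectedDocument> result = new ArrayList<SelectedDocument>();
        RowKeySet selected = documentsTable.getSelectedRowKeys();
        Object originalKey = documentsTable.getRowKey();
        try {
            Iterator<Object> keys = selected.iterator();
            while (keys.hasNext()) {
                // Position the table on the selected row so getRowData() returns that row.
                documentsTable.setRowKey(keys.next());
                // For a Data Control backed table each row is a JUCtrlHierNodeBinding.
                JUCtrlHierNodeBinding node = (JUCtrlHierNodeBinding) documentsTable.getRowData();
                Object rawId = node.getAttribute("id");   // the custom attribute mapped to idc:dID
                Object rawName = node.getAttribute("name");
                Long id = rawId instanceof Number ? Long.valueOf(((Number) rawId).longValue()) : null;
                if (id != null) {
                    result.add(new SelectedDocument(id, rawName == null ? null : rawName.toString()));
                }
            }
        } finally {
            // Never leave the table pointing at the last iterated row.
            documentsTable.setRowKey(originalKey);
        }
        return result;
    }

    public void setDocumentsTable(RichTable documentsTable) {
        this.documentsTable = documentsTable;
    }

    public RichTable getDocumentsTable() {
        return documentsTable;
    }
}
```

The method is invoked from an action listener on the dialog's OK button; the returned list is what a DAO or an ADF BC application module method would then persist. Skipping rows whose id is not numeric guards against the attribute being left at its default String type in the Data Control definition.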